
I am new to GitHub. I have generated an SSH key and can now see it under SSH Keys. Is it the public or the private key?

I have sent the SSH key (which I saw under SSH Keys) to my client. He asked whether it is public or not. He wants my private key.

Is there any need for a private SSH key? If so, how do I retrieve it?

3 Comments

  • Tell your client that private keys should not be shared. It's an unreasonable request. Commented Jul 23, 2012 at 14:32
  • Why does the client even need your SSH keys? Commented Jul 23, 2012 at 14:40
  • As a matter of general conduct, never, ever disclose a key unless you're 99.99% sure it's not private. Never! Commented Jul 23, 2012 at 14:44

3 Answers

TL;DR

You can't retrieve a private key from a GitHub account, but you can if you explicitly add the key file to a published repository. GitHub also limits you to seeing the fingerprint of public keys attached to an account; to my knowledge, you can't view an account's public keys on GitHub, either.

Private vs. Public Keys

An SSH public key is stored on a single line, and starts with a key-type field such as ssh-rsa or ecdsa-sha2-nistp256. A private key has multiple lines, and a header that identifies the key block. For example:

-----BEGIN RSA PRIVATE KEY-----

GitHub Only Accepts Public Keys

You can't actually add a valid private key to a GitHub account anyway. Currently, GitHub only accepts RSA and DSA public keys for this purpose. If you try to add a different key-type, or an invalid public key of any sort, you receive an error like the following:

Key is invalid. It must begin with 'ssh-rsa' or 'ssh-dss'. Check that you're copying the public half of the key

Private Keys Are Not Stored Server-Side in GitHub Accounts

The upshot of all this is that--quite aside from the fact that you should never store your private keys server-side anyway--it isn't possible to attach a private key to a GitHub account. Therefore, there's no way to retrieve the private half of a key-pair from a GitHub account.

Of course, while you can't add SSH private keys to a GitHub account, you can add them to a published repository. As an example of this, the Vagrant project publishes a full key-pair, but it's a special case.

Publishing your secret key is inherently insecure. Don't do it unless you understand the implications.


6 Comments

  • Actually you're not limited to viewing only the fingerprints. You can view all the user's public keys (known to GitHub) themselves at https://github.com/<username>.keys.
  • @Ruslan Thanks for this tip. It's not exposed via the UI, and I can't find it documented, but it certainly seems to work for finding public keys.
  • @Ruslan Is there any similar way but to view a user's GPG public keys?
  • @VinhVO I don't have any GPG keys so can't check, but I suppose they'd be in the same list, since they (their fingerprints) are listed together in the corresponding section of the UI.
  • @VinhVO You can view the GPG keys at https://github.com/<username>.gpg
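The distinction the answer draws (a public key is one line that begins with its key type; a private key is a multi-line block opened by a BEGIN ... PRIVATE KEY header) is easy to turn into a check that runs before any key material is pasted into a ticket or an e-mail. The script below is an added example, not code from the answer or from GitHub. The public line is the first key from the gh ssh-key list output in the next answer; the private block is constructed, non-functional filler. The list of accepted key types also includes the ed25519 and ecdsa types GitHub accepts today, beyond the RSA/DSA types named in the 2012 error message.

```python
"""Pre-share check for SSH key material, following the rule in the answer above:
a public key is a single line that starts with its key type; a private key is a
multi-line block opened by a BEGIN ... PRIVATE KEY header. Added example, not
code from the answer or from GitHub."""
import re
from typing import Optional

# Key-type fields that open an OpenSSH public key line. The 2012 error message in
# the answer lists only ssh-rsa/ssh-dss; ed25519 and ecdsa types are included here
# because GitHub accepts them now.
PUBLIC_KEY_TYPES = frozenset({
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
})

# PEM/OpenSSH private key headers (RSA, DSA, EC, OPENSSH, ENCRYPTED, or bare).
PRIVATE_HEADER = re.compile(r"^-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----$")

# Constructed samples. The public line is the first key from the gh ssh-key list
# output in the next answer; the private block is non-functional filler.
PUBLIC_SAMPLE = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuZpG/RQ20C4NxoyhuS4D6+LmSB+ma9eVbeauBaf68l"
    " laptop\n"
)
PRIVATE_SAMPLE = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def classify_key_material(text: str) -> str:
    """Return 'private', 'public' or 'unknown' for a pasted key blob."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    # Any BEGIN ... PRIVATE KEY header means the blob must not be shared, even if
    # a public line was pasted along with it.
    if any(PRIVATE_HEADER.match(ln) for ln in lines):
        return "private"
    # A public key is exactly one line: "<type> <base64 blob> [comment]".
    if len(lines) == 1:
        fields = lines[0].split()
        if len(fields) >= 2 and fields[0] in PUBLIC_KEY_TYPES:
            return "public"
    return "unknown"


def shareable_public_key(text: str) -> Optional[str]:
    """Return the public key without its comment field if the blob is public, else None.

    The comment is usually a user@host string; dropping it avoids handing that
    detail to a third party along with the key."""
    if classify_key_material(text) != "public":
        return None
    key_type, blob = text.split()[:2]
    return f"{key_type} {blob}"


if __name__ == "__main__":
    for label, sample in (("public", PUBLIC_SAMPLE), ("private", PRIVATE_SAMPLE)):
        print(label, "->", classify_key_material(sample), shareable_public_key(sample))
```

Running the script classifies the public sample as "public" and returns its type and blob without the comment, and classifies the private block as "private" with no shareable output; anything else (a fragment, a key type it does not know) comes back "unknown", which is the safe default when deciding what may leave the machine.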

Private keys being... private, they are only stored on your side, to help authenticate you. What is exported is the public key, stored on a public site (github.com).

In addition to https://github.com/<username>.keys, which lists your public SSH keys stored on GitHub, you also have the command line gh ssh-key list, using the GitHub CLI.

And since gh 2.6.1, that command adds a header and an id column to the list output, as discussed in #6136 (comment) (PR 6270).

  • In TTY mode, the header is displayed.
  • In non-TTY mode, the id column is appended at the end to maintain the order of existing columns.

Example output:

$ gh ssh-key list
TITLE     ID        KEY                                                                               ADDED
Test Key  70929690  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuZpG/RQ20C4NxoyhuS4D6+LmSB+ma9eVbeauBaf68l  4d
Test Key  70929824  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1dxiSc/vhYD7QRAxTL67BguPioiDRYPtptoSy9NCHd  4d


The SSH public keys that you've registered to use with GitHub are located at:

https://github.com/settings/keys

Your SSH authentication public keys are available in a simple list at:

https://github.com/username.keys

The SSH auth public keys are also available in a simple JSON array at:

https://api.github.com/users/username/keys

IMHO, this is a somewhat questionable security practice, as your authentication keys should really be only between you and GitHub. In my own case, I have set up my ~/.ssh/config with StrictHostKeyChecking yes and UserKnownHostsFile ~/.ssh/known_hosts_github, plus other ~/.ssh/config tightening, so that these keys are never used anywhere else.

GitHub now also supports SSH signing public keys (an alternative to GPG), and these are publicly available in a JSON array at:

https://api.github.com/users/username/ssh_signing_keys

Having access to these SSH signing keys allows you to verify commits, tags, and even (if you use detached SSH signatures) code releases, supporting tools to verify the provenance of a GitHub repo.

Again, like my SSH auth keys, I have one for each active machine I use with GitHub, and these keys are distinct from my SSH auth keys (a best practice and a NIST recommendation).

Right now there isn't a best practice for how to revoke old SSH signing keys.

-- Christopher Allen

1 Comment

I found the /users/username/keys link most useful to me. Each key is the full public key and is associated with an "id". In the online settings, you can inspect element on individual SSH keys, go to the nearest <li> tag, and associate the key with an element — ex. id="ssh-key-73712345" — and then useful metadata, such as the name you gave the key.
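The listings named in this answer and in the comment above (https://github.com/<username>.keys, one key per line, and https://api.github.com/users/<username>/keys, a JSON array of objects with "id" and "key") only ever contain public keys, but someone auditing them usually wants two things the raw listing does not show: the SHA256 fingerprint the settings page displays, so each entry can be matched to a registered key, and a check that the declared key type matches the type embedded in the base64 blob. The script below is an added example, not code from the answer or from GitHub. The responses are constructed and embedded so it runs offline, reusing the two ed25519 keys and ids from the gh ssh-key list output in the second answer; in real use you would fetch the URL (for example with urllib.request or curl) and pass the response body to these functions. The fingerprint is computed the way ssh-keygen -lf prints it: SHA256 over the decoded blob, base64-encoded with padding removed.

```python
"""Fingerprint and sanity-check the public keys in GitHub's per-user listings
(<username>.keys and /users/<username>/keys). Added example, not code from the
answers or from GitHub; the sample responses below are constructed."""
import base64
import hashlib
import json
import struct
from typing import Dict, List

# Constructed sample of the JSON array the API endpoint returns. Key blobs and
# ids are the ones shown in the gh ssh-key list output in the second answer.
SAMPLE_API_JSON = json.dumps([
    {"id": 70929690,
     "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuZpG/RQ20C4NxoyhuS4D6+LmSB+ma9eVbeauBaf68l"},
    {"id": 70929824,
     "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1dxiSc/vhYD7QRAxTL67BguPioiDRYPtptoSy9NCHd"},
])

# The same keys in the plain-text form served at https://github.com/<username>.keys.
SAMPLE_KEYS_TEXT = "\n".join(e["key"] for e in json.loads(SAMPLE_API_JSON)) + "\n"


def wire_key_type(blob_b64: str) -> str:
    """Decode the base64 blob and read the leading length-prefixed type string.

    OpenSSH public key blobs start with a uint32 length followed by the key type
    (for example "ssh-ed25519"); a mismatch with the declared type means the line
    was edited or corrupted."""
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short to hold a key type")
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii")


def fingerprint_sha256(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints: SHA256:<base64, no padding>."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keys_json(body: str) -> List[Dict[str, object]]:
    """Turn the API's JSON array into records with id, types, fingerprint and a consistency flag."""
    records: List[Dict[str, object]] = []
    for entry in json.loads(body):
        declared, blob = entry["key"].split()[:2]
        embedded = wire_key_type(blob)
        records.append({
            "id": entry["id"],
            "declared_type": declared,
            "embedded_type": embedded,
            "consistent": declared == embedded,
            "fingerprint": fingerprint_sha256(blob),
        })
    return records


def parse_keys_text(body: str) -> List[str]:
    """Fingerprints, in order, for the plain-text <username>.keys listing (one key per line)."""
    return [fingerprint_sha256(ln.split()[1]) for ln in body.splitlines() if ln.strip()]


if __name__ == "__main__":
    for rec in parse_keys_json(SAMPLE_API_JSON):
        flag = "ok" if rec["consistent"] else "TYPE MISMATCH"
        print(rec["id"], rec["declared_type"], rec["fingerprint"], flag)
```

The fingerprints printed for the two sample keys are the values to compare against the SHA256 fingerprints shown under https://github.com/settings/keys, which is the only way to confirm that the public listing for an account contains exactly the keys its owner registered and nothing extra.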
